osCommerce

Odd urls in Tools/whos online


FWR Media


Hi

I'm seeing very odd redirects when I look at Tools/Who's Online.

They are like this, and there are loads of them ..

oscommerce/redirect.php?action=url&goto=nextermest%2ecom

I'm wondering if someone has hacked a script into the shop.

Where does it go? It goes to ..

http://nextermest.com


It's possible. Check your host's logs for who uploaded what. There is an "antivirus" exe to d/l from that site; I checked it with what I have but could not see anything with the a/v tools. Could be spyware, of course. Seems suspicious that the whois shows the site as "not active".


> It's possible. Check your host's logs for who uploaded what. There is an "antivirus" exe to d/l from that site; I checked it with what I have but could not see anything with the a/v tools. Could be spyware, of course. Seems suspicious that the whois shows the site as "not active".

I'm new at analysing raw logs .. obviously the vast majority are "GET". What am I looking for?


Upload a new (default and unedited) root level redirect.php file. Delete the old one first.

Set 'Use Cache' to false in your osC admin panel.

Change the last line of both configure.php files to read 'mysql' where indicated.

These last two will give your site some protection against infected files from other sites contaminating yours. The first one should remove any hack from the redirect.php file (if one exists).

Last, but not least, check in your osC admin panel, under Tools --> Server Info, which version of PHP your hosting company is running. If it's anything less than 4.3.10 (patched) then it is vulnerable to hacking.

It does look like a hack.

Vger


We are seeing the same activity - Who's Online shows the URLs requested as:

/catalog/redirect.php?action=url&goto=nextermest%2ecom

Access log shows:

[01/Sep/2005:19:09:05 -0400] "GET /catalog/redirect.php?action=url&goto=ourwebsite.com/catalog/redirect.php%3faction=url%26goto=nextermest%252ecom HTTP/1.1" 302 38 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "osCsid=4314bf9cdeac687fa8585fe70d6c48ce"

So it looks like they are trying to redirect from a redirect... probing for vulnerabilities?

Any greater PHP gurus out there able to work out if there is a vulnerability that needs plugging?

Cheers

Rob

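As an added example (not code from this thread or from osCommerce itself), here is a small Python triage script for the question raised earlier about what to look for in the raw logs. It takes Rob's log line above as one sample plus a few constructed ones, decodes the goto parameter once per hop as the server would, follows a goto that points back at the shop's own redirect.php (the "redirect from a redirect" Rob saw), and flags every final host outside an allow-list. It assumes only what the thread itself observed: the stock action=url branch sends the browser to "http://" plus the goto value with no check on the host, so goto=nextermest%2ecom lands on http://nextermest.com. "ourwebsite.com" is the thread's placeholder for the real shop host; OWN_HOSTS, SAMPLE_LOG and the function names are mine.

```python
"""Triage redirect.php hits in an osCommerce access log (added example).

Assumption, taken from what the thread observed: redirect.php?action=url
sends the browser to "http://" + goto with no check on the host.  So a goto
whose host is not ours is open-redirect abuse, and a goto that points back
at our own redirect.php is a chain ending wherever the innermost goto points.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts the shop may legitimately redirect to.  "ourwebsite.com" is the
# thread's placeholder for the real shop hostname (assumption).
OWN_HOSTS = {"ourwebsite.com", "www.ourwebsite.com"}

# Apache combined log format; the trailing osCsid field in the thread's line
# is simply left unmatched.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def redirect_params(target):
    """Return the decoded goto of a redirect.php?action=url request, else None.

    parse_qs percent-decodes once, which is what PHP does on each request;
    that is why the double-encoded %252e in the chained line only becomes a
    "." on the second hop.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("redirect.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != "url" or not qs.get("goto"):
        return None
    return qs["goto"][0]


def resolve_goto(goto, max_hops=5):
    """Follow the redirect chain a (decoded) goto value would produce.

    Returns (final_host, hops).  urlsplit().hostname discards any userinfo,
    so "ourwebsite.com@nextermest.com" resolves to nextermest.com, the way a
    browser would treat it.  Chains through hosts we do not own are not
    followed, since we cannot know what a foreign script does.
    """
    hops = 0
    while True:
        hops += 1
        parts = urlsplit("http://" + goto)  # stock script prefixes http://
        host = (parts.hostname or "").lower()
        if host not in OWN_HOSTS or hops >= max_hops:
            return host, hops
        nxt = redirect_params("http://" + goto)
        if nxt is None:
            return host, hops
        goto = nxt


def is_safe_goto(goto):
    """The check a fixed redirect.php should make before issuing its 302:
    the decoded goto must end up on one of our own hosts."""
    host, _ = resolve_goto(goto)
    return host in OWN_HOSTS


def triage(line):
    """Classify one access-log line; None unless it is a redirect.php?action=url hit."""
    m = LOG_RE.search(line)
    if not m:
        return None
    goto = redirect_params(m.group("target"))
    if goto is None:
        return None
    host, hops = resolve_goto(goto)
    return {
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "final_host": host,
        "hops": hops,
        "external": host not in OWN_HOSTS,
    }


# Sample input.  The first line is the one quoted in the thread; the rest are
# constructed for this example.
SAMPLE_LOG = [
    '[01/Sep/2005:19:09:05 -0400] "GET /catalog/redirect.php?action=url&goto=ourwebsite.com/catalog/redirect.php%3faction=url%26goto=nextermest%252ecom HTTP/1.1" 302 38 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "osCsid=4314bf9cdeac687fa8585fe70d6c48ce"',
    '[01/Sep/2005:19:09:06 -0400] "GET /catalog/redirect.php?action=url&goto=nextermest%2ecom HTTP/1.1" 302 38 "-" "Mozilla/4.0" "-"',
    '[01/Sep/2005:19:10:00 -0400] "GET /catalog/redirect.php?action=url&goto=www.ourwebsite.com/catalog/specials.php HTTP/1.1" 302 38 "-" "Mozilla/4.0" "-"',
    '[01/Sep/2005:19:10:01 -0400] "GET /catalog/product_info.php?products_id=12 HTTP/1.1" 200 8812 "-" "Mozilla/4.0" "-"',
    '[01/Sep/2005:19:10:02 -0400] "GET /catalog/redirect.php?action=url&goto=ourwebsite.com%40nextermest%2ecom HTTP/1.1" 302 38 "-" "Mozilla/4.0" "-"',
]


def suspicious_hits(lines=SAMPLE_LOG):
    """All redirect.php hits whose final destination is not one of our hosts."""
    return [r for r in map(triage, lines) if r and r["external"]]


if __name__ == "__main__":
    for hit in suspicious_hits():
        print(hit["ts"], hit["final_host"], "hops=%d" % hit["hops"])
```

Two practical notes. Grep the raw log for `redirect.php?action=url` rather than for the domain name, because the `%2e` encoding hides the dot until the value is decoded, and a double-encoded inner goto hides it for one more hop. And `is_safe_goto` is the rule the stock script is missing: a redirect.php that only ever sends visitors to its own hosts gives an outsider nothing to chain through, whatever else they upload.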

Thanks for the reply, I'm still confused however.

> Upload a new (default and unedited) root level redirect.php file. Delete the old one first.

Why? If it's been altered I need to know how.

> Set 'Use Cache' to false in your osC admin panel.

Already was set to false.

> Change the last line of both configure.php files to read 'mysql' where indicated.

I was already using database driven sessions.

> Last, but not least, check in your osC admin panel, under Tools --> Server Info, which version of PHP your hosting company is running. If it's anything less than 4.3.10 (patched) then it is vulnerable to hacking.
>
> It does look like a hack.
>
> Vger

I am using 4.4.0.


Archived

This topic is now archived and is closed to further replies.
